From owner-freebsd-security Thu Jan 6 20:31:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from povray.org (netplex.aussie.org [204.213.191.226]) by hub.freebsd.org (Postfix) with ESMTP id 8B2E414E65 for ; Thu, 6 Jan 2000 20:31:47 -0800 (PST) (envelope-from casonc@netplex.aussie.org)
Received: from frankenputer (dubsat-23 [210.8.162.23]) by povray.org (8.9.3/8.9.3) with SMTP id XAA55246 for ; Thu, 6 Jan 2000 23:10:11 -0500 (EST) (envelope-from casonc@netplex.aussie.org)
Message-ID: <002e01bf58c5$18cd90f0$cc0010ac@melbbureau.central.dubsat.com.au>
From: "Chris Cason [work]"
To:
Subject: Port scans and site theft from IP inside mr.net
Date: Fri, 7 Jan 2000 15:10:08 +1100
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.5600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.5600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is just a heads-up about some activity I've just seen, and also I guess a query as to whether or not you guys have seen this happen before.

I'm the server admin of a graphics site that is reasonably popular (www.irtc.org). Recently, we had a person write to us complaining that we were port-scanning him and could we please explain why? He included some logs that showed that the port scans were coming from 137.192.77.10.

Now, this is nothing whatsoever like our IP address, so we were kind of scratching our heads wondering why he wrote to -US- to complain, until we noticed that, if we made a HTTP connection to 137.192.77.10, you got an exact duplicate of our site. To make sure it wasn't a mirage, we changed a page on our site, hit the above one, and sure enough the unchanged version was present. Whoever is operating the site has evidently gone to the trouble of copying a large chunk of our site (I suspect using a reverse-proxy) for some unknown reason.

I assume it's a reverse proxy since, now that I have ipfw'd his system off from ours, I still see it hitting my HTTP ports from time to time. I've also seen him pinging us since. He has now configured his system to deny IP from my server, though I can still ping him from elsewhere. Finally, the web server that was running at 137.192.77.10 port 80 is now either not there at all, or he's configured it not to accept connections from any of the networks that we were previously using to look at what he was doing. I believe it is still there as I am still getting attempted connections from his server to mine on port 80.

Given that he was port-scanning I can only guess that he wanted people to complain to us instead of him, but that doesn't seem to make a lot of sense either (it's kind of a weak cover).

I'm curious to see if anyone else here is able to see his web server anymore, and if so, if they could take a screen-shot including the browser's address bar (as I didn't do so while I had the chance). Also, if anyone has seen anything like this in the past and can shed any more light on it I'd appreciate knowing.

FWIW, we have complained twice to mr.net (the hosts of this ip) over the past week, and apart from their automated response, have been greeted with nothing but thunderous silence. It appears to me that they have little concern about this sort of activity. In fact I don't even know myself if it's actually illegal (though it's certainly unethical if it's not).

thanks,

-- Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
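The mail describes two ways the admin told a reverse proxy or site copy apart from an ordinary visitor: the suspect host kept fetching pages from the origin on other people's behalf, and a page changed on the origin did not change on the copy. The script below is an added example, not part of the original mail or of any irtc.org tooling. It parses a few constructed combined-format web log lines (only the address 137.192.77.10 and the host www.irtc.org are taken from the mail; the other addresses, paths and user agents are made up) and applies two defender-side checks: a source IP that presents many distinct User-Agent strings, or a Referer naming some other host, is behaving like a proxy forwarding other clients' requests; and comparing a changed page across origin and suspect classifies the suspect as a live pass-through proxy or a stale copy. The threshold `min_user_agents` and the field names are assumptions for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines in Apache/NCSA combined format (not from the
# original mail). 137.192.77.10 is the address named in the mail; everything
# else is made up for this example.
SAMPLE_LOG = '''\
137.192.77.10 - - [07/Jan/2000:15:01:02 +1100] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.7 [en] (Win98; I)"
137.192.77.10 - - [07/Jan/2000:15:01:05 +1100] "GET /stills/index.html HTTP/1.0" 200 3301 "http://137.192.77.10/index.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
137.192.77.10 - - [07/Jan/2000:15:02:11 +1100] "GET /anims/index.html HTTP/1.0" 200 2870 "-" "Lynx/2.8.2rel.1"
10.1.2.3 - - [07/Jan/2000:15:03:40 +1100] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.7 [en] (X11; I; Linux)"
10.1.2.3 - - [07/Jan/2000:15:03:41 +1100] "GET /images/logo.gif HTTP/1.0" 200 917 "http://www.irtc.org/index.html" "Mozilla/4.7 [en] (X11; I; Linux)"
'''

# One regex for the combined log format: client IP, ident, user, timestamp,
# request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def proxy_suspects(entries, our_hosts, min_user_agents=3):
    """Flag source IPs that look like a reverse proxy in front of our site.

    A real browser presents one User-Agent; a proxy relaying many clients
    presents many. A Referer pointing at a host that is not ours means the
    client was browsing the copy and followed a link from it.
    """
    our_hosts = {h.lower() for h in our_hosts}
    by_ip = defaultdict(lambda: {"uas": set(), "paths": set(), "foreign": set()})
    for e in entries:
        rec = by_ip[e["ip"]]
        rec["uas"].add(e["ua"])
        rec["paths"].add(e["path"])
        host = urlparse(e["referer"]).hostname if e["referer"] != "-" else None
        if host and host.lower() not in our_hosts:
            rec["foreign"].add(host)

    suspects = {}
    for ip, rec in by_ip.items():
        if len(rec["uas"]) >= min_user_agents or rec["foreign"]:
            suspects[ip] = {
                "distinct_user_agents": len(rec["uas"]),
                "distinct_paths": len(rec["paths"]),
                "foreign_referer_hosts": sorted(rec["foreign"]),
            }
    return suspects


def classify_mirror(origin_before, origin_after, mirror_after):
    """Reproduce the mail's canary test: change a page, then re-fetch the copy.

    origin_before/origin_after are the page body before and after the edit;
    mirror_after is what the suspect host serves after the edit.
    """
    if mirror_after == origin_after:
        return "live proxy"      # the change came through: requests are relayed
    if mirror_after == origin_before:
        return "stale copy"      # snapshot or cache: what the mail observed
    return "unrelated"           # serves something else entirely


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, info in proxy_suspects(entries, {"www.irtc.org"}).items():
        print(ip, info)
    print(classify_mirror("old page", "new page", "old page"))
```

On the sample above only 137.192.77.10 is flagged (three user agents, one foreign Referer host), while the ordinary visitor at 10.1.2.3 is not; the canary call reports "stale copy", matching the unchanged page the mail describes. Pair the log heuristic with a firewall rule for the flagged source, as the mail did with ipfw, and keep the log lines as evidence for the abuse report to the upstream provider.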